VoIP Security Sip.EDU workshop February 2007 Walt Magnussen, Ph.D. Director TAMU ITEC

Upload: jocelyn-martin

Post on 13-Dec-2015

VoIP Security

Sip.EDU workshop

February 2007

Walt Magnussen, Ph.D.

Director TAMU ITEC

VoIP security

• Major issues

– Span of control is often under separate entities on campus

– What is included – RTC

• VoIP

• H.323 and SIP video

• IM

• IPTV

– Separate network (virtual or physical) or converged.

– Is VoIP just another application or a service with specific requirements?

– Is security a good or bad thing? (layer 8, 9 and 10 issue)

Crux of problem

• RTC traffic has specific requirements (ITU-T G.1050)

What to include:

• VoIP: currently proprietary versions of H.323 and SIP

• Video conferencing: mostly H.323, migrating to SIP

• IM - also supports SIP

• IPTV

Network solutions

• Separate IP network – if so, why change from TDM in the first place?

• Separate virtual network (VLANs)

– Not really complete separation, but good enough?

• All on one network

– Best effort – not recommended

– QoS – costly to manage

Security Approaches

• Three ways to architect security

– Open

– Use campus firewall

– Use Session Border Controller for Voice

Open approach

• Feel that:

– Security breaks more things than it fixes (adds latency, jitter, etc.)

– Security is the responsibility of the end device, not the network

• Any security device tends to break the true peer-to-peer relationship of SIP

Use campus firewall

• Firewalls can be either state-free or stateful

– Because of the separation of signaling and media, must be stateful

– Firewalls can do deep packet inspection but may still miss many VoIP-specific vulnerabilities (fuzzing, SPIT and sequential dialing)
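
Added example (not from the original slides): a sketch of why the firewall must be stateful. The RTP media ports are negotiated inside the SDP body of the SIP signaling, so a device has to read each call's offer and answer to learn which media pinholes to open. The messages, addresses and function names below are constructed for illustration.

```python
import re

# Constructed sample messages (not captured traffic); RFC 5737 documentation addresses.
INVITE = (
    "INVITE sip:bob@example.edu SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "c=IN IP4 198.51.100.20\r\n"
    "m=audio 3456 RTP/AVP 0\r\n"
    "m=video 0 RTP/AVP 31\r\n"  # port 0: the answerer declined this stream
)

def media_endpoints(sip_message):
    """Return (call_id, [(media, ip, rtp_port), ...]) from a SIP message's SDP body."""
    head, _, body = sip_message.partition("\r\n\r\n")
    m = re.search(r"^Call-ID\s*:\s*(\S+)", head, re.I | re.M)
    call_id = m.group(1) if m else None
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if streams:
                streams[-1][1] = ip   # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            streams.append([media, session_ip, int(port.split("/")[0])])
    # Declined streams (port 0) and streams with no address get no pinhole.
    return call_id, [tuple(s) for s in streams if s[2] != 0 and s[1]]

def pinholes(*messages):
    """Per-call (ip, rtp_port, rtcp_port) entries a signaling-aware device would open."""
    table = {}
    for msg in messages:
        call_id, streams = media_endpoints(msg)
        for media, ip, port in streams:
            # RTCP conventionally uses the next higher port (RTP port + 1).
            table.setdefault(call_id, []).append((ip, port, port + 1))
    return table
```

A state-free filter sees only UDP packets on ports it could not have known in advance; the table above exists only because the signaling for that Call-ID was tracked.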

Session Border Controller

• Acts as a back-to-back user agent.

• Can add other voice-specific features

– Peering redirects

– MOS-based call redirect

– NAT traversal assistance

– Transcoding with some

– Error concealment (i.e. echo)

– Access point for Lawful Intercept (CALEA)

SBC demonstration

• A view of the TAMU ITEC Acme Packet SBC.

SBC manufacturers

• Acme Packet

• Nextone

• Ditech

Future directions

• VoIP authentication and encryption

– Proposals include:

• TLS – used to encrypt signaling stream

• SRTP – used to encrypt media stream

http://www.tmcnet.com/voip/1104/FeatureSecurity.htm

• VPN clients not easy to implement on hardphones (wireline and wireless)

Questions?

• Contact info:

– Walt Magnussen, Ph.D.

– ITEC Director

– [email protected]

– 979-845-5588